Skip to content
Chimera readability score 0.5359 out of 100, reading level.

Compliance change management is a major challenge for financial institutions as they attempt to analyse hundreds of new regulations and updates every year. Alison Young, Deputy Head of Financial Crime Compliance at Rabobank, sat down with FinTech Global to explore regulatory change management in 2026.
The current regulatory landscape
One of the defining characteristics of the US compliance landscape in 2025 was around enforcement. While certain enforcement actions were issued, there was also a trend in lifting enforcement actions.
Young also highlighted there were over 10 enforcement actions issued by the Office of Foreign Assets Control (OFAC) over the course of the year. In the same vein, 2025 also saw a greater expectation on financial institutions to take steps to tackle drug cartels. The US government listed multiple cartels as foreign terrorist organizations and the OFAC added various individuals to the Specially Designated Nationals (SDN) list in a bid to freeze assets.
Moving away from enforcement action, 2025 also saw a handful of changes to existing regulatory frameworks. Young pointed to the FAQ issued by FinCEN regarding SAR filing obligations. One notable change explained when you would file a SAR, guidance on continuing activity reviews and taking a risk-based approach to no SAR decisions.
She added, “This guidance could be impactful, but at this point I’m not sure how many financial institutions have actually changed their procedures based on that guidance.”
Another important area of change in compliance was around artificial intelligence (AI). While the technology has dominated talks of innovation for many years, there has been little guidance on frameworks around its use. There is growing interest around how Financial Institutionsare using AI and what controls have been implemented. “Those conversations in the industry around AI, I think are only beginning.”
These are just a small handful of the challenges compliance teams are balancing that will likely continue to evolve over the next 12 months. Heading into 2026, we may see more executive orders and other mechanisms deployed to address certain risks. So, I would expect a little bit more of what we’ve seen in 2025 continue into 2026. Compliance is not static, with new rules or developments that need to be assessed for how it impacts a firm. The effectiveness of a firm’s ability to do this correlates with their regulatory change management workflows.
What does regulatory change management look like?
When it comes to regulatory change management there is no standard format. Each financial institution will have their own system in place with a unique spectrum of manual and automated workflows.
Young has seen a variety of methods in place over the course of her career, but typically has seen a vendor solution that disseminates relevant regulatory updates based on predetermined rules and provides them to the firm. A compliance team then collects this information to analyse whether any changes are needed, whether that is across policies, procedures, systems, tooling, governance, and more.
Young has seen frameworks where an owner of regulatory change will manually log their review and analysis of the change. This information is then usually stored within a spreadsheet or internal tool. Similarly, some firms might implement a dual review, where a member from each of the compliance and legal teams review an update and provide their insights. This allows for a mixture of perspectives and highlights aspects that could have been missed by an isolated review.
Young believes it is important to have multiple opinions on a new regulation. For instance, if there is a new policy focused on financial crime, the firm should engage a key contact from the business that is focused on that area to provide related insights. She said, “Even if it doesn’t look like there’s much to it, it’s still good to send it out and get that impact analysis and confirmation from those key stakeholders that nothing needs to change based on this new information.”
AI complexity
One of the exciting prospects of regulatory change over the coming years is an increased regulatory focus around AI. This interest could help to accelerate the adoption of the technology within compliance and create a plethora of new use cases.
Young noted, “It is not widely used yet in financial crime compliance, and when it is used, its impact so far has not been material for many institutions. I think that will change over the next decade as we learn more, but for now we are coming up with potential use cases for AI, and if we’re lucky, we get to test those use cases. I think we have a long way to go in this space, and again, we’re only starting to scratch the surface of the potential with AI.”
One of the challenges that comes with adoption of AI within compliance, and the wider financial services ecosystem, is its governance. While the technology has impressive capabilities, it is fallible. A simple mistake could cause significant damages for firms, financially and reputationally.
A recent study by Infosys found that 95% of the 1,500 executives it surveyed had experienced at least one problematic incident from the use of enterprise AI. Of the damages incurred from AI incidents, 77% contributed to direct financial loss, but many respondents deemed reputational damage more threatening than financial losses. Without correct guardrails, AI is a risk.
One of the challenges of building effective governance around AI, compared to other areas, is due to the uncertainty of what the ideal framework looks like.
Young said, “We need to inform our governance committees around AI usage, track pilots or use cases with metrics on at least a quarterly basis, if not monthly. We know we need escalation channels to senior management at the organization. We know we need testing and we need model validations if it’s considered a model. There are a lot of things to think about when it comes to AI governance, and I think sometimes you learn as you go along. It’s really important to bring regulators along for that entire journey from the very beginning, so you’re not surprising them.”
She added that including regulators from the start of the AI journey has proven to be a best practice approach.
As adoption continues, Young believes proper governance structures will start to take shape as the industry learns from what works and how to ensure protections are effective.
However, if firms can build a strong foundation for their AI and its governance, the technology can provide sizable benefits. A recent PwC survey of senior US business leaders claimed 60% see responsible AI as a boost to return on investment and organisational efficiency, and 55% say it improved customer experience and innovation.
Over the next decade, Young sees AI being super impactful to how compliance and regulatory change management looks. A report from KPMG highlighted many also share this opinion. It found that 68% of financial services executives plan to leverage generative AI across their compliance and risk processes.
She said, “AI is going to allow us to be more dynamic and more precise. It’s going to allow us to identify areas that maybe didn’t occur to us and it will be much more efficient at looking through a risk and control library for impacted areas. Over time this will also reduce risk because there will be less human error.”
The current reliance on spreadsheets sees humans waste hours each week compiling and filtering through to identify what might be applicable. Instead, an AI tool can allow the user to move more freely across documents, not only in terms of extracting key data from new updates but cross-checking to identify what is relevant and updates that are needed. Instead, firms need to have some form of horizon scanning in place so they can be prepared for changes and avoid some of these damages.
Reactive versus proactive approaches
Many firms face a difficult battle when trying to monitor all of the relevant regulatory updates that come through in a month. Last year, CUBE surveyed over 2,000 senior compliance decision-makers across the US, Canada, Europe, China, India, Australia, and Japan and found that 82% track between 26 and 100 alerts each month, including 39% who track between 51 and 100.
With the pace of change, it is easy for firms to sit in a reactive approach to change management, wait for things to come to them and deal with them. It becomes more like a compliance fire-fighting exercise. However, with the risk of financial penalties, reputational damage and increased regulatory scrutiny, the risks are high.
As such, Young encourages firms to have forward thinkers involved in the change management process that have eyes across all functions and the business. She said, “We really need to work across an entire organization. Do not just think about your department, but you need to think about all the other departments and the three lines of defence. You really need to bring in viewpoints from all different angles to really have a proactive approach.”
Another helpful measure is to work closely with peers and establishing working groups. This is a great melting pot for ideas and help ease the burden of regulatory change.
Regardless of what approach a firm takes, there is one final challenge that can sneak up on firms – a false sense of time. While an update might have a year or two until implementation, that time will go past quickly. Building new policies and testing systems can have lengthy review times, especially if coordinating across jurisdictions.
Young added, “As soon as you become aware that there’s a potential regulatory change be proactive. Start looking at it, determining impact, benchmarking and determining if an action plan is needed.”

Facts Only

Alison Young is Deputy Head of Financial Crime Compliance at Rabobank.
In 2025, the U.S. compliance landscape saw over 10 enforcement actions issued by OFAC.
The U.S. government designated multiple drug cartels as foreign terrorist organizations in 2025.
OFAC added individuals to the Specially Designated Nationals (SDN) list to freeze assets.
FinCEN issued FAQs in 2025 regarding SAR filing obligations, including guidance on continuing activity reviews and risk-based approaches.
AI adoption in financial crime compliance remains limited, with minimal material impact reported by institutions.
A 2025 Infosys study found 95% of 1,500 surveyed executives experienced at least one problematic AI incident.
77% of AI incidents in the Infosys study resulted in direct financial loss.
A PwC survey indicated 60% of senior U.S. business leaders see responsible AI as boosting ROI and efficiency.
KPMG reported 68% of financial services executives plan to use generative AI in compliance and risk processes.
A 2024 CUBE survey found 82% of senior compliance decision-makers track 26-100 regulatory alerts monthly.
39% of respondents in the CUBE survey track 51-100 alerts monthly.
Young recommends proactive regulatory change management, including early impact analysis and stakeholder engagement.

Executive Summary

Regulatory change management remains a significant challenge for financial institutions, with hundreds of new regulations and updates issued annually. In 2025, the U.S. compliance landscape was marked by enforcement actions, including over 10 issued by the Office of Foreign Assets Control (OFAC), alongside efforts to combat drug cartels by designating them as foreign terrorist organizations and freezing assets. Changes to existing frameworks, such as FinCEN's guidance on SAR filing obligations, also emerged, though adoption of these updates varied among institutions. Artificial intelligence (AI) governance became a growing concern, with financial institutions exploring its use in compliance while grappling with risks like financial and reputational damage from AI-related incidents. Alison Young of Rabobank emphasized the need for proactive, cross-functional approaches to regulatory change, including early stakeholder engagement and collaboration with regulators. Looking ahead to 2026, firms are expected to face continued regulatory evolution, with AI poised to play a transformative role in compliance processes, though governance frameworks remain uncertain.
The article highlights the tension between reactive and proactive compliance strategies, noting that many firms struggle with the volume of regulatory alerts, often tracking between 26 and 100 updates monthly. Young advocates for forward-thinking approaches, including horizon scanning and cross-departmental coordination, to mitigate risks of financial penalties and reputational harm. While AI offers potential efficiencies, its adoption requires robust governance to prevent errors and ensure regulatory alignment. The piece underscores the dynamic nature of compliance, where firms must balance immediate regulatory demands with long-term strategic planning.

Full Take

The strongest version of this narrative highlights the escalating complexity of regulatory compliance in financial services, driven by enforcement trends, geopolitical risks (e.g., drug cartels), and technological disruption (AI). It credibly frames compliance as a dynamic, high-stakes function where reactive approaches risk penalties and reputational damage. The emphasis on AI’s dual potential—efficiency gains versus governance risks—reflects a nuanced understanding of innovation’s trade-offs. Young’s advocacy for proactive, cross-functional collaboration aligns with best practices in risk management.
However, the narrative leans heavily on industry perspectives (e.g., Rabobank, PwC, KPMG) without critical examination of potential biases. The focus on AI’s "transformative" role, while acknowledging risks, could subtly reinforce a tech-optimist paradigm that assumes governance gaps will resolve organically. The absence of voices from smaller institutions or non-Western regulators may overlook systemic disparities in compliance capacity. The pattern of framing AI as both a solution and a risk (ARC-0034 "Double Bind") could create pressure to adopt unproven tools under the guise of inevitability.
Root causes include the accelerating pace of regulatory change, which outstrips traditional compliance workflows, and the tension between innovation and control in financial services. The paradigm assumes that technological solutions (e.g., AI) are necessary to manage complexity, potentially sidelining simpler fixes like improved inter-agency coordination or standardized global frameworks.
Implications for human agency are mixed: while AI may reduce manual labor, over-reliance on automated systems could erode institutional knowledge and accountability. The costs of compliance failures disproportionately affect smaller firms, widening competitive gaps. Second-order consequences might include regulatory arbitrage, where firms exploit governance ambiguities, or a chilling effect on innovation due to fear of reputational harm.
Bridge questions:
1. How might regulatory bodies balance the need for AI innovation with the risks of over-reliance on untested systems?
2. What alternative frameworks (beyond AI) could address compliance inefficiencies without introducing new vulnerabilities?
3. How do compliance burdens differ between large and small institutions, and what systemic changes could level the playing field?
Counterstrike scan: A coordinated influence campaign might amplify fears of regulatory lag to push AI adoption, citing efficiency gains while downplaying governance risks. The actual content does not match this pattern, as it explicitly acknowledges AI’s challenges and calls for regulator involvement. The tone remains measured, avoiding hyperbole or urgency tactics.

Sentinel — Human

Confidence

The article shows strong human signals, including natural conversational phrasing, direct quotes with hesitations, and uneven stylistic rhythms. No significant indicators of synthetic generation were detected.

Signals Detected
low severity: Sentence length variance is high, with natural erratic rhythms and conversational phrasing (e.g., 'I think we have a long way to go in this space').
low severity: Text includes idiosyncratic emphasis (e.g., 'Even if it doesn’t look like there’s much to it...') and personal voice (e.g., Young's direct quotes).
low severity: Specific attributions (e.g., 'Infosys study', 'PwC survey') with concrete details, no vague 'experts say' framing.
low severity: No claims attributed to unverifiable sources; quotes align with typical executive commentary.
Human Indicators
Direct quotes from Alison Young with conversational tone and hesitations ('I think we have a long way to go...').
Idiosyncratic phrasing ('scratch the surface of the potential with AI') and digressions (e.g., anecdotal spreadsheet reliance).
Specific, non-template-driven structure with uneven paragraph lengths and organic transitions.